From: Tim Chen
To: Jiri Kosina , Thomas Gleixner
Cc: Tim Chen , Tom Lendacky , Ingo Molnar , Peter Zijlstra , Josh Poimboeuf , Andrea Arcangeli , David Woodhouse , Andi Kleen , Dave Hansen , Casey Schaufler , Asit Mallick , Arjan van de Ven , Jon Masters , linux-kernel@vger.kernel.org, x86@kernel.org
Subject: [Patch v2 2/4] x86/speculation: Provide application property based STIBP protection
Date: Tue, 25 Sep 2018 17:43:57 -0700
Message-Id:
X-Mailer: git-send-email 2.9.4
In-Reply-To:
References:
In-Reply-To:
References:
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

This patch provides an application property based spectre_v2 protection with STIBP against attack from another app from a sibling hyper-thread. For security sensitive non-dumpable app, STIBP will be turned on before switching to it for Intel processors vulnerable to spectre_v2.

Signed-off-by: Tim Chen
---
 arch/x86/include/asm/msr-index.h | 3 ++-
 arch/x86/include/asm/spec-ctrl.h | 12 ++++++++++++
 arch/x86/include/asm/thread_info.h | 4 +++-
 arch/x86/kernel/cpu/bugs.c | 14 +++++++++++---
 arch/x86/kernel/process.c | 14 ++++++++++----
 arch/x86/mm/tlb.c | 22 ++++++++++++++++++++++
 6 files changed, 60 insertions(+), 9 deletions(-)
diff --git a/arch/x86/include/asm/msr-index.h b/arch/x86/include/asm/msr-index.h
index 4731f0c..0e43388 100644
--- a/arch/x86/include/asm/msr-index.h
+++ b/arch/x86/include/asm/msr-index.h
@@ -41,7 +41,8 @@
 #define MSR_IA32_SPEC_CTRL 0x00000048 /* Speculation Control */
 #define SPEC_CTRL_IBRS (1 << 0) /* Indirect Branch Restricted Speculation */
-#define SPEC_CTRL_STIBP (1 << 1) /* Single Thread Indirect Branch Predictors */
+#define SPEC_CTRL_STIBP_SHIFT 1 /* Single Thread Indirect Branch Predictor bit */
+#define SPEC_CTRL_STIBP (1 << SPEC_CTRL_STIBP_SHIFT) /* Single Thread Indirect Branch Predictors */
 #define SPEC_CTRL_SSBD_SHIFT 2 /* Speculative Store Bypass Disable bit */
 #define SPEC_CTRL_SSBD (1 << SPEC_CTRL_SSBD_SHIFT) /* Speculative Store Bypass Disable */
diff --git a/arch/x86/include/asm/spec-ctrl.h b/arch/x86/include/asm/spec-ctrl.h
index ae7c2c5..6a962b8 100644
--- a/arch/x86/include/asm/spec-ctrl.h
+++ b/arch/x86/include/asm/spec-ctrl.h
@@ -53,12 +53,24 @@ static inline u64 ssbd_tif_to_spec_ctrl(u64 tifn)
 return (tifn & _TIF_SSBD) >> (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
 }
+static inline u64 stibp_tif_to_spec_ctrl(u64 tifn)
+{
+ BUILD_BUG_ON(TIF_STIBP < SPEC_CTRL_STIBP_SHIFT);
+ return (tifn & _TIF_STIBP) >> (TIF_STIBP - SPEC_CTRL_STIBP_SHIFT);
+}
+
 static inline unsigned long ssbd_spec_ctrl_to_tif(u64 spec_ctrl)
 {
 BUILD_BUG_ON(TIF_SSBD < SPEC_CTRL_SSBD_SHIFT);
 return (spec_ctrl & SPEC_CTRL_SSBD) << (TIF_SSBD - SPEC_CTRL_SSBD_SHIFT);
 }
+static inline unsigned long stibp_spec_ctrl_to_tif(u64 spec_ctrl)
+{
+ BUILD_BUG_ON(TIF_STIBP < SPEC_CTRL_STIBP_SHIFT);
+ return (spec_ctrl & SPEC_CTRL_STIBP) << (TIF_STIBP - SPEC_CTRL_STIBP_SHIFT);
+}
+
 static inline u64 ssbd_tif_to_amd_ls_cfg(u64 tifn)
 {
 return (tifn & _TIF_SSBD) ? x86_amd_ls_cfg_ssbd_mask : 0ULL;
diff --git a/arch/x86/include/asm/thread_info.h b/arch/x86/include/asm/thread_info.h
index 2ff2a30..40c58c286 100644
--- a/arch/x86/include/asm/thread_info.h
+++ b/arch/x86/include/asm/thread_info.h
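Review bot: `stibp_spec_ctrl_to_tif()` in arch/x86/include/asm/spec-ctrl.h is added without a caller in any hunk of this patch; only `stibp_tif_to_spec_ctrl()` is used (bugs.c and process.c). If a later patch in the series needs the reverse mapping it would be clearer to add it there, otherwise it can be dropped. Both new helpers also come without a comment; above the first one I would add `/* Map TIF_STIBP in the thread flags to the SPEC_CTRL_STIBP bit of MSR_IA32_SPEC_CTRL. */`.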
@@ -83,6 +83,7 @@ struct thread_info {
 #define TIF_SYSCALL_EMU 6 /* syscall emulation active */
 #define TIF_SYSCALL_AUDIT 7 /* syscall auditing active */
 #define TIF_SECCOMP 8 /* secure computing */
+#define TIF_STIBP 9 /* Single threaded indirect branch predict */
 #define TIF_USER_RETURN_NOTIFY 11 /* notify kernel of userspace return */
 #define TIF_UPROBE 12 /* breakpointed or singlestepping */
 #define TIF_PATCH_PENDING 13 /* pending live patching update */
@@ -110,6 +111,7 @@ struct thread_info {
 #define _TIF_SYSCALL_EMU (1 << TIF_SYSCALL_EMU)
 #define _TIF_SYSCALL_AUDIT (1 << TIF_SYSCALL_AUDIT)
 #define _TIF_SECCOMP (1 << TIF_SECCOMP)
+#define _TIF_STIBP (1 << TIF_STIBP)
 #define _TIF_USER_RETURN_NOTIFY (1 << TIF_USER_RETURN_NOTIFY)
 #define _TIF_UPROBE (1 << TIF_UPROBE)
 #define _TIF_PATCH_PENDING (1 << TIF_PATCH_PENDING)
@@ -146,7 +148,7 @@ struct thread_info {
 /* flags to check in __switch_to() */
 #define _TIF_WORK_CTXSW \
- (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD)
+ (_TIF_IO_BITMAP|_TIF_NOCPUID|_TIF_NOTSC|_TIF_BLOCKSTEP|_TIF_SSBD|_TIF_STIBP)
 #define _TIF_WORK_CTXSW_PREV (_TIF_WORK_CTXSW|_TIF_USER_RETURN_NOTIFY)
 #define _TIF_WORK_CTXSW_NEXT (_TIF_WORK_CTXSW)
diff --git a/arch/x86/kernel/cpu/bugs.c b/arch/x86/kernel/cpu/bugs.c
index c967012..052f1a5 100644
--- a/arch/x86/kernel/cpu/bugs.c
+++ b/arch/x86/kernel/cpu/bugs.c
@@ -163,7 +163,7 @@ EXPORT_SYMBOL(spectre_v2_app_lite);
 static enum spectre_v2_mitigation spectre_v2_enabled __ro_after_init =
 SPECTRE_V2_NONE;
-static enum spectre_v2_mitigation spectre_v2_app2app_enabled __ro_after_init =
+static enum spectre_v2_app2app_mitigation spectre_v2_app2app_enabled __ro_after_init =
 SPECTRE_V2_APP2APP_NONE;
 void
@@ -187,6 +187,9 @@ x86_virt_spec_ctrl(u64 guest_spec_ctrl, u64 guest_virt_spec_ctrl, bool setguest)
 static_cpu_has(X86_FEATURE_AMD_SSBD))
 hostval |= ssbd_tif_to_spec_ctrl(ti->flags);
+ if (static_branch_unlikely(&spectre_v2_app_lite))
+ hostval |= stibp_tif_to_spec_ctrl(ti->flags);
+
 if (hostval != guestval) {
 msrval = setguest ? guestval : hostval;
 wrmsrl(MSR_IA32_SPEC_CTRL, msrval);
@@ -383,6 +386,11 @@ static enum spectre_v2_mitigation_cmd __init spectre_v2_parse_cmdline(void)
 static bool stibp_needed(void)
 {
+ /*
+ * Determine if we want to leave STIBP always on.
+ * For lite option, we enable STIBP based on a process's
+ * flag during context switch.
+ */
 if (static_branch_unlikely(&spectre_v2_app_lite))
 return false;
@@ -958,14 +966,14 @@ static ssize_t cpu_show_common(struct device *dev, struct device_attribute *attr
 ret = sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
 boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB-lite" : "",
 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
- (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP" : "",
+ ", STIBP-lite",
 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
 spectre_v2_module_string());
 else
 ret = sprintf(buf, "%s%s%s%s%s%s\n", spectre_v2_strings[spectre_v2_enabled],
 boot_cpu_has(X86_FEATURE_USE_IBPB) ? ", IBPB-strict" : "",
 boot_cpu_has(X86_FEATURE_USE_IBRS_FW) ? ", IBRS_FW" : "",
- (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP" : "",
+ (x86_spec_ctrl_base & SPEC_CTRL_STIBP) ? ", STIBP-strict" : "",
 boot_cpu_has(X86_FEATURE_RSB_CTXSW) ? ", RSB filling" : "",
 spectre_v2_module_string());
 mutex_unlock(&spec_ctrl_mutex);
diff --git a/arch/x86/kernel/process.c b/arch/x86/kernel/process.c
index c93fcfd..cb24014 100644
--- a/arch/x86/kernel/process.c
+++ b/arch/x86/kernel/process.c
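Review bot: In `x86_virt_spec_ctrl()` (arch/x86/kernel/cpu/bugs.c) the host value gets the STIBP bit whenever `spectre_v2_app_lite` is enabled, while `set_spec_ctrl_state()` in process.c adds the same bit only when `cpu_smt_control == CPU_SMT_ENABLED`. The two writers of `MSR_IA32_SPEC_CTRL` can therefore compute different host values for the same task, so the value restored around a guest run need not match what the context switch wrote. I would use one condition in both places, here `if (static_branch_unlikely(&spectre_v2_app_lite) && cpu_smt_control == CPU_SMT_ENABLED)`, or fold the check into `stibp_tif_to_spec_ctrl()`. The function starts and ends outside the hunk.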
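Review bot: In `cpu_show_common()` the first `sprintf()` now passes the literal `", STIBP-lite"` unconditionally, so the spectre_v2 sysfs line reports the mitigation even where it cannot take effect. The other hunks only apply STIBP when `static_cpu_has(X86_FEATURE_STIBP)` holds (tlb.c) and `cpu_smt_control == CPU_SMT_ENABLED` (process.c), and tooling that reads this file to audit mitigations would be misled on hardware without the feature. I would keep the argument conditional, `boot_cpu_has(X86_FEATURE_STIBP) ? ", STIBP-lite" : "",`. The `if` that selects between the two `sprintf()` calls is outside the hunk; it is presumably the lite-mode check.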
@@ -395,9 +395,15 @@ static __always_inline void amd_set_ssb_virt_state(unsigned long tifn)
 wrmsrl(MSR_AMD64_VIRT_SPEC_CTRL, ssbd_tif_to_spec_ctrl(tifn));
 }
-static __always_inline void intel_set_ssb_state(unsigned long tifn)
+static __always_inline void set_spec_ctrl_state(unsigned long tifn)
 {
- u64 msr = x86_spec_ctrl_base | ssbd_tif_to_spec_ctrl(tifn);
+ u64 msr = x86_spec_ctrl_base;
+
+ if (static_cpu_has(X86_FEATURE_SSBD))
+ msr |= ssbd_tif_to_spec_ctrl(tifn);
+
+ if (cpu_smt_control == CPU_SMT_ENABLED)
+ msr |= stibp_tif_to_spec_ctrl(tifn);
 wrmsrl(MSR_IA32_SPEC_CTRL, msr);
 }
@@ -409,7 +415,7 @@ static __always_inline void __speculative_store_bypass_update(unsigned long tifn
 else if (static_cpu_has(X86_FEATURE_LS_CFG_SSBD))
 amd_set_core_ssb_state(tifn);
 else
- intel_set_ssb_state(tifn);
+ set_spec_ctrl_state(tifn);
 }
 void speculative_store_bypass_update(unsigned long tif)
@@ -451,7 +457,7 @@ void __switch_to_xtra(struct task_struct *prev_p, struct task_struct *next_p,
 if ((tifp ^ tifn) & _TIF_NOCPUID)
 set_cpuid_faulting(!!(tifn & _TIF_NOCPUID));
- if ((tifp ^ tifn) & _TIF_SSBD)
+ if ((tifp ^ tifn) & (_TIF_SSBD | _TIF_STIBP))
 __speculative_store_bypass_update(tifn);
 }
diff --git a/arch/x86/mm/tlb.c b/arch/x86/mm/tlb.c
index 14522aa..b3d1daa 100644
--- a/arch/x86/mm/tlb.c
+++ b/arch/x86/mm/tlb.c
@@ -205,6 +205,25 @@ static bool ibpb_needed(struct task_struct *tsk, u64 last_ctx_id)
 return (__ptrace_may_access(tsk, PTRACE_MODE_IBPB));
 }
+static void set_stibp(struct task_struct *tsk)
+{
+ /*
+ * For lite protection mode, we set STIBP only
+ * for non-dumpable processes.
+ */
+
+ if (!static_branch_unlikely(&spectre_v2_app_lite))
+ return;
+
+ if (!tsk || !tsk->mm)
+ return;
+
+ if (get_dumpable(tsk->mm) != SUID_DUMP_USER)
+ set_tsk_thread_flag(tsk, TIF_STIBP);
+ else
+ clear_tsk_thread_flag(tsk, TIF_STIBP);
+}
+
 void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
 struct task_struct *tsk)
 {
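Review bot: In arch/x86/kernel/process.c a `_TIF_STIBP` change in `__switch_to_xtra()` is routed through `__speculative_store_bypass_update()`, and the dispatch visible in the second hunk reaches `set_spec_ctrl_state()` only in its final `else`. On a CPU that takes the `X86_FEATURE_LS_CFG_SSBD` branch, or the branch above it that is outside the hunk, the STIBP bit is never written to `MSR_IA32_SPEC_CTRL`, although `set_stibp()` in tlb.c sets the flag on any CPU with `X86_FEATURE_STIBP`. The description limits the feature to Intel, so this may be intended, but nothing in these hunks enforces or documents it. At minimum the dispatcher needs a comment such as `/* Also called for TIF_STIBP changes; only the SPEC_CTRL MSR path below applies them. */`, and its name no longer matches what it does.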
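Review bot: `set_stibp()` in arch/x86/mm/tlb.c derives TIF_STIBP from `get_dumpable(tsk->mm)` only at the moment the task is switched in, so a task that changes its dumpable state while running keeps its old STIBP setting until it next passes through this path. The early return for `!tsk || !tsk->mm` also leaves whatever flag value the task already carried. The function would benefit from a header comment stating both properties and that the MSR itself is written later, in process.c, not here; the existing comment only says which processes are covered.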
@@ -296,6 +315,9 @@ void switch_mm_irqs_off(struct mm_struct *prev, struct mm_struct *next,
 ibpb_needed(tsk, last_ctx_id))
 indirect_branch_prediction_barrier();
+ if (static_cpu_has(X86_FEATURE_STIBP))
+ set_stibp(tsk);
+
 if (IS_ENABLED(CONFIG_VMAP_STACK)) {
 /*
 * If our current stack is in vmalloc space and isn't
-- 
2.9.4
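Review bot: The `set_stibp(tsk)` call in `switch_mm_irqs_off()` sits directly after the IBPB check, which suggests (the enclosing branch is outside the hunk) that it runs only when the incoming task uses a different mm than the one loaded on this CPU. TIF_STIBP is a per-thread flag, so a thread of a non-dumpable process that is switched in right after another thread of the same mm could still have the flag clear, and `__switch_to_xtra()` would then drop STIBP for it. I would either evaluate the flag on every switch to a user task or set it for all threads at the point where the dumpable state changes. A comment at the call site, `/* TIF_STIBP must be valid before __switch_to_xtra() compares prev and next flags */`, would record the ordering this relies on.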